How to extract JSON file format as fields using props.conf and transforms.conf?

karthi2809
Builder

Hi,
Thanks in advance.

My JSON file is below.

How do I extract fields using the props and transforms configuration files?

{
"AAA": {
"modified_files": [
"a/D:\\\\splunk\\\\A / ui/.env",
"a/D:\\\\splunk\\\\A / ui/.env.example",
"a/D:\\\\splunk\\\\B / ui/.env",
"a/D:\\\\splunk\\\\B / ui/.env.example"
]
}
}{
"BBB": {
"modified_files": [
"a/D:\\\\splunk\\\\A / ui/.env",
"a/D:\\\\splunk\\\\A / ui/.env.example",
"a/D:\\\\splunk\\\\B / ui/.env",
"a/D:\\\\splunk\\\\B / ui/.env.example"
]
}
}{
"CCC": {
"modified_files": [
"a/D:\\\\splunk\\\\A / ui/.env",
"a/D:\\\\splunk\\\\A / ui/.env.example",
"a/D:\\\\splunk\\\\B / ui/.env",
"a/D:\\\\splunk\\\\B / ui/.env.example"
]
}
}{
"DDD": {
"modified_files": [
"a/D:\\\\splunk\\\\A / ui/.env",
"a/D:\\\\splunk\\\\A / ui/.env.example",
"a/D:\\\\splunk\\\\B / ui/.env",
"a/D:\\\\splunk\\\\B / ui/.env.example"
]
}
}

0 Karma

gcusello
SplunkTrust

Hi @karthi2809,

did you explore the INDEXED_EXTRACTIONS=JSON option in props.conf?

You can find more info at https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Propsconf

In a few words, in props.conf put:

[your_sourcetype]
INDEXED_EXTRACTIONS = JSON 

Ciao.

Giuseppe

0 Karma

karthi2809
Builder

 

{
"AAA": {
"modified_files": [
"a/D:\\\\splunk\\\\A / ui/.env",
"a/D:\\\\splunk\\\\A / ui/.env.example",
"a/D:\\\\splunk\\\\B / ui/.env",
"a/D:\\\\splunk\\\\B / ui/.env.example"
]
}
}{
"BBB": {
"modified_files": [
"a/D:\\\\splunk\\\\A / ui/.env",
"a/D:\\\\splunk\\\\A / ui/.env.example",
"a/D:\\\\splunk\\\\B / ui/.env",
"a/D:\\\\splunk\\\\B / ui/.env.example"
]
}
}{
"CCC": {
"modified_files": [
"a/D:\\\\splunk\\\\A / ui/.env",
"a/D:\\\\splunk\\\\A / ui/.env.example",
"a/D:\\\\splunk\\\\B / ui/.env",
"a/D:\\\\splunk\\\\B / ui/.env.example"
]
}
}{
"DDD": {
"modified_files": [
"a/D:\\\\splunk\\\\A / ui/.env",
"a/D:\\\\splunk\\\\A / ui/.env.example",
"a/D:\\\\splunk\\\\B / ui/.env",
"a/D:\\\\splunk\\\\B / ui/.env.example"
]
}
}

 

0 Karma

gcusello
SplunkTrust

Hi @karthi2809,

this isn't a JSON format, is this the full log or a part of it?

If it's a part of it, please share the full log.

Anyway, using an extraction with INDEXED_EXTRACTIONS = JSON, you have the following fields:

gcusello_0-1654592942756.png

Ciao.

Giuseppe

0 Karma

karthi2809
Builder

Hi @gcusello ,

Below is the result of the JSON log file.

{
  "AAA": {
    "modified_files": [
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/.git/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/.git/config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/.git/index", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/.git/logs/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/.git/logs/refs/heads/dev", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/.git/logs/refs/heads/master", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/.git/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/.git/idx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/.git/pack", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/.git/refs/heads/dev", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/.git/refs/heads/master", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/.git/refs/remotes/origin/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/Database/2021.10_sql", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/VisualStudio2005/WebService.sln", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/VisualStudio2005/WebSite.sln", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/Web/WebSite/lu.csproj", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/Web/WebSite/Web.DEV.config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/Web/WebSite/Web.config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/Web/WebSite/Web.config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/Web/WebSite/Web..config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/Web/WebSite/Web.PP.config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/Web/WebSite/Web.config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/Web/WebSite/Web.QA.config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_AAA/lu/Web/WebSite/Web.SIT.config"
    ]
  }
}{
  "BBB": {
    "modified_files": [
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_BBB/ContinuousIntegration/.git/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_BBB/ContinuousIntegration/.git/config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_BBB/ContinuousIntegration/.git/index", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_BBB/ContinuousIntegration/.git/logs/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_BBB/ContinuousIntegration/.git/logs/refs/heads/feature/new-server-updates", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_BBB/ContinuousIntegration/.git/logs/refs/heads/integration", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_BBB/ContinuousIntegration/.git/logs/refs/remotes/origin/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_BBB/ContinuousIntegration/.git/objects/pack/pack-87d6b8ab05803d2bd514f956bb3ee97eb5db6d4d.idx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_BBB/ContinuousIntegration/.git/objects/pack/pack-87d6b8ab05803d2bd514f956bb3ee97eb5db6d4d.pack", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_BBB/ContinuousIntegration/.git/refs/heads/feature/new-server-updates", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_BBB/ContinuousIntegration/.git/refs/heads/integration", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_BBB/ContinuousIntegration/.git/refs/remotes/origin/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_BBB/ContinuousIntegration/BBB.Build/BBB.Build.psm1", 
    ]
  }
}{
  "CCC": {
    "modified_files": [
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.git/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.git/config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.git/index", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.git/logs/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.git/logs/refs/heads/BLTSFix", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.git/logs/refs/heads/dev", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.git/logs/refs/remotes/origin/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.git/objects/pack/pack-.idx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.git/objects/pack/pack-1.pack", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.git/objects/pack/pack-f067c2bff747ce861.idx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.git/packed-refs", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.git/refs/heads/BLTSFix", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.git/refs/heads/dev", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.git/refs/remotes/origin/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/.vscode/launch.json", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/App/WebService/BltsService.csproj", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/App/WebService/Dare.cs", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/App/WebService/Web.$$OAT.config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/App/WebService/Web.config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/Database/2021.9_JIRA15219_ProductCodes/01_JIRA15219_ProductCodes_Backup.sql", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/Database/2021.9_JIRA15219_ProductCodes/02_JIRA15219_BLTS_ProductCodes.sql", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/Database/2021.9_JIRA15219_ProductCodes/JIRA15219_ProductCode_BackoutDBScript.sql", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/Web/WebSite/Blts.csproj", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_CCC/BLTS/Web/WebSite/Web.$$OAT.config"
    ]
  }
}{
  "DDD": {
    "modified_files": [
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/.git/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/.git/config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/.git/index", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/.git/logs/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/.git/logs/refs/heads/BBB-11392_BU_$$Replication", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/.git/logs/refs/heads/dev", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/.git/logs/refs/remotes/origin/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/.git/objects/pack/pack-f46eea35cf14742a81d21f669f667e4df3bdc2a6.idx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/.git/objects/pack/pack-f46eea35cf14742a81d21f669f667e4df3bdc2a6.pack", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/.git/refs/heads/BBB-11392_BU_$$Replication", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/.git/refs/heads/dev", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/.git/refs/remotes/origin/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/.gitignore", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Apps/BOController/Controller.cpp", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Apps/CollateralEngine/ZAddDAO.cpp", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Apps/RISSearch/SearchRis.cpp", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Apps/SoapComm/SoapGenerator.cpp", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Apps/binaries/duplicateaccounts.xsl", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Apps/binaries/selectedentities.xsl", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Apps/ccmspersist/XMLHelper.cpp", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/BOExtract.dtsConfig", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS-SSIS.database", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS-SSIS.dtproj", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS-SSIS.sln", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.APRA.Extract.Tables.xml", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.APRA.Extract.dtsConfig", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.APRA.Extract.dtsx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.CHARM.Batch.DEV.dtsConfig", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.CHARM.Batch.NewDB.DEV.dtsConfig", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.CHARM.Extract.NewDB.dtsx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.CHARM.Extract.dtsx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.Data.Cleanse.DEV.dtsConfig", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.Data.Cleanse.dtsx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.MasterData.Migration.DEV.dtsConfig", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.MasterData.Migration.dtsx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.RSDS.Extract.Tables.xml", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.RSDS.Extract.dtsConfig", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.RSDS.Extract.dtsx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.RefData.Migration.DEV.dtsConfig", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS.RefData.Migration.dtsx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS_Cleanup.dtsx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS_CustomerRefresh.dtsx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS_Orion_AuditCertificate.dtsx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS_RIS_BOExtraction.dtsx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CCMS_RIS_FOExtraction.dtsx", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/CustRefresh.dtsConfig", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/FOExtract.dtsConfig", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Batch/CCMS-SSIS/Project.params", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/CI/script/nant/ccms_app_registry_nzoat.xml", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/CI/script/nant/ccms_web_registry_nzoat.xml", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Database/2021.11_JIRA15401_BulkUpdate/01_JIRA15401_BulkUpdate_DBScript_Backup.sql", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Database/2021.11_JIRA15401_BulkUpdate/02_JIRA15401_BulkUpdate_DBScript.sql", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Database/R2021.2/BackoutScripts/1.DROP_viw_CCMS_To_Elastic.sql", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Database/R2021.2/BackoutScripts/pra_Rpt_ReportableEvents_ES_Backout.sql", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Database/R2021.2/ChangeScripts/1.CREATE_viw_CCMS_To_Elastic.sql", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_DDD/CCMS/Database/R2021.2/ChangeScripts/pra_Rpt_ReportableEvents_ES.sql"
    ]
  }
}{
  "EEE": {
    "modified_files": [
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###.git/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###.git/config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###.git/index", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###.git/logs/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/.git/logs/refs/heads/BBB-15109_add_pk_tblOrgUnitBU", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###.git/logs/refs/heads/dev", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###.git/logs/refs/remotes/origin/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###.", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###.", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/.git/refs/heads/BBB-15109_add_pk_tblOrgUnitBU", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###.git/refs/heads/dev", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###.git/refs/remotes/origin/HEAD", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###App/WebService/BUPS.Service.csproj", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###App/WebService/Web.$$OAT.config", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###Web/Common/DropDownListExtd/DropDownListExtd.csproj", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###Web/Common/LoggingManager/LoggingManager.csproj", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###Web/Common/MasterPages/Control/MasterPages", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###", 
      "a/D:\\\\splunk_code_replication\\\\Repos\\\\Fri_Jun_3_17-34-04_2022\\\\$$_EEE/BUPS/###"
    ]
  }
}

 

0 Karma

gcusello
SplunkTrust

Hi @karthi2809,

as I said, using the INDEXED_EXTRACTIONS = JSON in props.conf, you have the fields.

Ciao.

Giuseppe

 

0 Karma

karthi2809
Builder

Hi @gcusello @yuanliu

In my props.conf file:

[code_replication_json]
DATETIME_CONFIG = CURRENT
LINE_BREAKER = (#%$@)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = true
TRUNCATE = 0
MAX_EVENTS = 10000
INDEXED_EXTRACTIONS = json
KV_MODE = json

0 Karma

gcusello
SplunkTrust

Hi @karthi2809,

and does it run?

if not, could you share a sample of your logs using the Insert/Edit Code Sample button (</>)?

Ciao.

Giuseppe

0 Karma

karthi2809
Builder

@gcusello  Shared logs above.

0 Karma

gcusello
SplunkTrust

Hi @karthi2809,

I already answered your message: using INDEXED_EXTRACTIONS=JSON you have five fields:

gcusello_0-1655274366606.png

Isn't this the result you want?

What's the result you want?

Ciao.

Giuseppe

0 Karma

karthi2809
Builder

No, that did not work.

0 Karma

yuanliu
SplunkTrust

Maybe you are looking for kv_mode=json? Configure automatic key-value field extraction
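
The point raised earlier in the thread, that the posted log "isn't a JSON format", can be checked and worked around before indexing. The following is an added example, not code from any poster in this thread: it splits the back-to-back `}{` objects, tolerates the trailing comma seen in the "BBB" block, and emits one valid JSON object per line. The sample input is constructed, and the `repo` field name and the one-object-per-line output are assumptions.

```python
import json

# Constructed sample in the thread's shape: "}{" joins, trailing comma in "BBB".
SAMPLE = r'''{
  "AAA": {
    "modified_files": [
      "a/D:\\\\repos\\\\AAA/ui/.env"
    ]
  }
}{
  "BBB": {
    "modified_files": [
      "a/D:\\\\repos\\\\BBB/.git/HEAD",
    ]
  }
}'''

def is_strict_json(text):
    """True only if the whole text is one valid JSON document."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False

def strip_trailing_commas(text):
    """Drop a comma that directly precedes ] or }, never touching string contents."""
    out, in_str, esc = [], False, False
    for ch in text:
        if in_str:
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch in "]}":
            i = len(out) - 1
            while i >= 0 and out[i].isspace():
                i -= 1
            if i >= 0 and out[i] == ",":
                del out[i]
        out.append(ch)
    return "".join(out)

def split_concatenated(text):
    """Decode back-to-back JSON objects one at a time with raw_decode."""
    decoder, pos, objs = json.JSONDecoder(), 0, []
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        obj, pos = decoder.raw_decode(text, pos)
        objs.append(obj)
    return objs

def to_ndjson(text):
    """One event per line; 'repo' is a hypothetical name for the top-level key."""
    objs = split_concatenated(strip_trailing_commas(text))
    return "\n".join(json.dumps({"repo": k, "modified_files": v.get("modified_files", [])})
                     for o in objs for k, v in o.items())
```

Each output line is a complete JSON document, so an event boundary can be a plain newline, and the field names no longer depend on a per-repository top-level key.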
